The cybersecurity landscape is constantly changing to address new threats, and so are the methods we use to protect our data and resources. Passwords, still in popular use today, are widely known to be insecure: they can be guessed, phished, reused and shared. X.509 certificates are a strong candidate to replace passwords as the authentication standard, for a number of reasons.
Certificates are convenient, secure, and compatible with a range of applications. In this article, we’re going to examine X.509 certificates and explain why they’re superior to traditional credential-based authentication.
What is an X.509 Certificate and Why is it Important?
An X.509 certificate is a widely used digital certificate format built on asymmetric (public-key) cryptography. Each certificate is bound to a key pair: a public key, which is embedded in the certificate itself, and a private key, which is stored separately by the certificate holder and never appears in the certificate.
In a nutshell, the private key produces digital signatures that anyone holding the public key can verify, and data encrypted to the public key can only be decrypted with the private key. The private key is kept by the certificate holder while the public key can be freely distributed. Since only the holder of the private key can produce a signature that verifies under that public key, a valid signature is strong evidence that the message came from the certificate holder. The CA's own signature on the certificate is what binds that public key to the holder's identity.
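As an added example (not code from the original article), the script below drives the openssl CLI through both directions described here: the private key signs and the public key verifies; the public key encrypts and only the private key decrypts. The key file names, the two parties (a legitimate holder and an impostor) and the messages are made up for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: the two directions of an
# asymmetric key pair, driven by the openssl CLI. All names and messages below
# are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a key pair: the private key stays with its owner, the public key is
# what ends up inside a certificate and can be handed to anyone.
gen_keypair() {                # $1 = file prefix
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl pkey -in "$1.key" -pubout -out "$1.pub" 2>/dev/null
}

# Signing: the PRIVATE key makes the signature, the PUBLIC key checks it.
sign_msg() {                   # $1 = private key, $2 = message, $3 = signature out
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}
verify_sig() {                 # $1 = public key, $2 = message, $3 = signature; prints valid|invalid
  if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

# Encryption: the PUBLIC key encrypts, only the matching PRIVATE key decrypts.
# OAEP padding is used so that a wrong key produces a hard failure.
encrypt_to() {                 # $1 = public key, $2 = plaintext, $3 = ciphertext out
  openssl pkeyutl -encrypt -pubin -inkey "$1" -in "$2" -out "$3" -pkeyopt rsa_padding_mode:oaep
}
decrypt_with() {               # $1 = private key, $2 = ciphertext; prints plaintext or decrypt-failed
  openssl pkeyutl -decrypt -inkey "$1" -in "$2" -pkeyopt rsa_padding_mode:oaep 2>/dev/null \
    || echo decrypt-failed
}

demo() {
  cd "$WORK"
  gen_keypair holder      # the legitimate certificate holder
  gen_keypair impostor    # someone else with their own, unrelated key pair
  printf 'alice requests VPN access\n' > msg.txt         # constructed sample message
  printf 'mallory requests VPN access\n' > tampered.txt  # same signature, altered content

  sign_msg holder.key msg.txt msg.sig
  verify_sig holder.pub msg.txt msg.sig                  # valid
  verify_sig holder.pub tampered.txt msg.sig             # invalid: content changed
  sign_msg impostor.key msg.txt impostor.sig
  verify_sig holder.pub msg.txt impostor.sig             # invalid: signed with the wrong private key

  encrypt_to holder.pub msg.txt msg.enc
  decrypt_with holder.key msg.enc                        # alice requests VPN access
  decrypt_with impostor.key msg.enc                      # decrypt-failed
}

demo
```

The two "invalid" results are the whole point: a signature binds both the content and the signing key, so changing either one breaks verification. This is what a relying party checks when a certificate holder proves possession of the private key.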
Certificates can be used as an authentication method for numerous different resources. Wi-Fi is a common application for certificate-based authentication, but certificates can also be applied to VPNs and to web applications. They can even be used to sign and encrypt email through S/MIME, verifying that a message really came from the person it claims to be from.
Certificates are issued by trustworthy sources called Certificate Authorities (CAs). A CA is responsible for verifying the identity of the person or device requesting a certificate, as well as ensuring that they are only distributed to approved entities.
Network administrators can create certificate templates with attributes that designate what a certificate does and how it will be used. When a user or device requests a certificate, the requesting device generates its own public-private key pair, sends the public key to the CA in a certificate signing request (CSR), and the CA signs a certificate that binds that public key to the approved attributes from the template. The private key never has to leave the device; if it is generated in a TPM or other hardware key store, it cannot be exported at all.
X.509 Certificate Attributes/fields
Each certificate has a number of attributes and fields that provide some information about the user, the issuer, and the cryptographic parameters of the certificate itself. Here are some examples of common certificate fields and what they mean:
- Subject: The name of the user or device the certificate is being issued to.
- Serial Number: An identifying number that the CA assigns to each certificate it issues.
- Signature Algorithm: The algorithm the CA used to sign the certificate, for example sha256WithRSAEncryption. The subject's own key type and size (commonly RSA 2048 or an elliptic-curve key) are recorded separately in the Subject Public Key Info field.
- Validity: A date range in which the certificate is considered valid.
- Issuer: The issuing CA’s name.
- DNS: A DNS name carried in the Subject Alternative Name (SAN) extension, used to tie the certificate to a specific device or host.
- Other Name: The user principal name (UPN), carried in the SAN extension as an otherName. This is the field RADIUS servers usually use to identify the user during Wi-Fi (EAP-TLS) authentication.
- RFC822: An email address associated with the user, carried in the SAN extension as an rfc822Name.
The attributes on a certificate play a key part in role-based access control. Because the CA sets these attributes at issuance and signs them, a client cannot alter them, and since they vary from user to user, network administrators can designate varying levels of access based on those attributes through network access control with our Dynamic Cloud RADIUS.
For example, you could grant access to a specific resource based on the issuing CA and have different CAs for different departments in your organization. When a user is authenticated, SecureW2’s Cloud RADIUS will apply the appropriate network policy based on their certificate attributes.
How Does X.509 Certificate Authentication Work?
Once an entity has been issued an X.509 certificate by the CA, that certificate is attached to it like a photo ID badge. Unlike a password, it cannot be phished or guessed, and when the private key is kept in non-exportable hardware storage it cannot be copied off the device either. The badge analogy gets you most of the way: the certificate is presented to the resource requiring authentication, but the resource does not simply look at it. It checks the CA's signature on the certificate and then challenges the client to sign fresh data with the matching private key (in TLS, the CertificateVerify message), proving possession of that key rather than mere possession of the public certificate.
You can take your authentication a step further by implementing a RADIUS server alongside your certificates. A RADIUS server functions like a guard that checks photo IDs (certificates): it verifies that the certificate chains to a CA it trusts, that it is within its validity period, and that it has not been revoked, by cross-referencing a Certificate Revocation List (CRL) or querying OCSP. Much like the name implies, a CRL is a CA-signed list of certificates that have been revoked for any number of reasons, such as the user leaving the company.
If the certificate is on the CRL, the user is rejected. As long as the certificate is valid (trusted, unexpired and unrevoked), the person is quickly and accurately granted access. Click here to learn more about how RADIUS works.
Why Use X.509 Certificates?
Certificates offer a range of solid security benefits to those who implement them. The main benefit, however, is that they take the place of passwords in authentication. In other words, they grant secure, passwordless access to resources like Wi-Fi and VPNs.
It’s easy to see why going passwordless is so convenient. Certificates eliminate the need to remember existing passwords or create new, complex ones once previous passwords expire.
Since certificates are tied to specific devices and users, and cannot be transferred when the private key is non-exportable, they also function as an accurate way of verifying who is accessing your organization's resources. You can be sure only approved users are logging onto your Wi-Fi, VPN, or applications. Additionally, every certificate-based authentication leaves an event in the RADIUS logs that names the certificate's subject, so you can audit network activity against a cryptographically verified identity rather than a password that may have been shared or guessed.
This dovetails nicely into the increasingly popular cybersecurity concept of Zero Trust. Zero Trust, at its core, means always verifying users as opposed to blindly trusting them with limitless access to company resources. With X.509 certificates, you’re able to segment your employees using role-based access control, granting them differing levels of network access and designating specific certificate attributes accordingly.
Another bonus to certificates is that they make digital signatures possible, a direct result of the public and private key pair mentioned previously. Because a signature can only be produced with the private key and is verified with the certificate's public key, a valid signature tells you the data came from the holder of that certificate and was not altered in transit.
Passwords vs Certificates
Passwords have been a ubiquitous security standard for decades. The problem is, they’re far from secure. In fact, the 2018 IT and Password Security Survey Report found that over 10 million username and password attacks occur on a daily basis. So, what exactly is it that makes passwords such a desirable target?
There are plenty of reasons why passwords are so vulnerable. For example, poor password management is one factor, which includes using the same password repeatedly, storing passwords where others can access them, and sharing passwords with friends and coworkers.
Password change policies, although utilized with good intentions, contribute to password frustrations, too. Having to come up with new, sophisticated passwords every few months can be both challenging and time-consuming. Many people simply end up recycling passwords to save time.
Implementing X.509 Certificates
How do you enroll for an X.509 certificate?
You can’t simply conjure an X.509 certificate alone out of the ether. Each certificate is issued to a device or user by a CA, which is an integral part of a Public Key Infrastructure (PKI).
PKIs consist of several components that help you create, issue, and manage certificates. Those components include the following:
- Public-Private Key Pairs
- Certificate Authorities
- Certificate Stores
- Certificate Revocation Lists (CRL)
- Optional: Hardware Security Module (HSM), used to protect the CA's private key
Simply put, if you’re going to issue certificates to users, you’re going to need a PKI. Building and maintaining your own PKI is labor-intensive, requiring time, money, and a high degree of cybersecurity expertise. Although it is certainly possible to construct your own with services such as Microsoft’s Active Directory Certificate Services (ADCS), using a pre-built PKI like SecureW2’s managed PKI (MPKI) tends to be more economical in terms of both money and time.
When you use our MPKI, you get everything you need to set up certificate-based authentication for your organization. Plus, SecureW2 has built an amazingly user-friendly GUI that hands you the keys to your PKI kingdom, making it simple for you to manage the whole certificate lifecycle from issuance to revocation.
How is an X.509 certificate revoked?
There’s an old saying that can be applied to many aspects of life, including network security: the only constant in life is change. Similarly, any authentication method you utilize needs to be flexible; if it is rigid and unchanging, you’ll become vulnerable in time.
You likely wouldn’t want a certificate to stay valid indefinitely. What if the user in question leaves the company or the user’s device is stolen? The answer to this issue is certificate revocation.
With a robust PKI in place, revoking a certificate is as easy as recording it as revoked and publishing an updated CRL. Once a certificate appears on the CRL, it will be considered invalid for authentication. One caveat: relying parties such as RADIUS servers only learn of the revocation when they fetch the new CRL (or receive an OCSP response), so a certificate stays usable until the CRL is republished and any cached copy expires; keep CRL validity periods short, or use OCSP, where immediate effect matters. This is another reason why SecureW2's managed PKI is so helpful; the easily navigable GUI provides important context around the user and certificate, ensuring that you're able to find and revoke all associated certificates. You can also issue certificates with a fixed validity period so that they expire automatically, or revoke them manually.
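To tie together the enrollment flow, the certificate fields listed earlier, the RADIUS-style validity and CRL check, and the revocation described in this section, here is an added example (not code from the original article or from SecureW2's product) that builds a tiny PKI with the openssl CLI. The CA name, the user alice, the department and the host name laptop-42.example.com are made-up placeholders, and the script assumes openssl 1.1.1 or newer.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article: a minimal PKI driven by the
# openssl CLI. Every name here (Example Corp, alice, laptop-42.example.com) is a
# made-up placeholder. Requires openssl 1.1.1 or newer.
set -eu

# Config for 'openssl req' and 'openssl ca'. The ca section only needs what
# revocation and CRL generation read: the database, the CRL counter and the CA key pair.
write_config() {
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
# the subject is always supplied on the command line with -subj
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = index.txt
crlnumber        = crlnumber
certificate      = ca.pem
private_key      = ca.key
default_md       = sha256
default_crl_days = 30
EOF
}

# 1. Certificate Authority: a self-signed root whose private key (ca.key) never
#    leaves the CA. basicConstraints/keyUsage mark it as an issuer only.
make_ca() {
  write_config
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Corp/CN=Example Corp Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -keyout ca.key -out ca.pem 2>/dev/null
  : > index.txt          # empty CA database; revocations are recorded here
  echo 01 > crlnumber    # CRL sequence number
}

# 2. Enrollment for user $1: the key pair is generated on the device and only the
#    CSR (public key + requested subject) goes to the CA, which signs it and adds
#    the SAN fields from the article: DNS name, rfc822 e-mail, and the UPN
#    otherName (OID 1.3.6.1.4.1.311.20.2.3) that EAP-TLS deployments key on.
enroll() {
  local user="$1"
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Corp/OU=Engineering/CN=$user" \
    -keyout "$user.key" -out "$user.csr" 2>/dev/null
  cat > "$user.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectAltName   = DNS:laptop-42.example.com,email:$user@example.com,otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$user@example.com
EOF
  openssl x509 -req -in "$user.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 365 -sha256 -extfile "$user.ext" -out "$user.pem" 2>/dev/null
}

# 3. The fields the article lists, read back from the issued certificate.
#    "Signature Algorithm" is the CA's signing algorithm (sha256WithRSAEncryption);
#    the subject's key size appears under Subject Public Key Info ("Public-Key").
show_fields() {
  openssl x509 -in "$1" -noout -subject -issuer -serial -dates -ext subjectAltName
  openssl x509 -in "$1" -noout -text | grep -m1 'Signature Algorithm'
  openssl x509 -in "$1" -noout -text | grep -m1 'Public-Key'
}

# 4. What a RADIUS server (or any relying party) does with a presented certificate:
#    chain it to a trusted CA, check validity dates and purpose, and consult the CRL.
issue_crl() {
  openssl ca -config ca.cnf -gencrl -crldays 30 -out ca.crl 2>/dev/null
}
check_cert() {                 # prints accepted|rejected
  if openssl verify -CAfile ca.pem -CRLfile ca.crl -crl_check \
       -purpose sslclient "$1" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# 5. Revocation: mark the certificate as revoked in the CA database. Relying
#    parties only see it once a fresh CRL is published (issue_crl) and fetched.
revoke() {
  openssl ca -config ca.cnf -revoke "$1" 2>/dev/null
}

# Stand-alone run in a scratch directory (left in place so the files can be inspected).
cd "$(mktemp -d)"
make_ca
enroll alice
issue_crl                      # first CRL, no entries yet
show_fields alice.pem
check_cert alice.pem           # accepted
revoke alice.pem               # alice leaves the company
check_cert alice.pem           # still accepted: relying parties hold the old CRL
issue_crl
check_cert alice.pem           # rejected
```

Run it as a script; everything happens in a fresh temporary directory. The check between revoke and the second issue_crl is the practical point of this section: revocation only takes effect for a relying party once a new CRL is published and fetched, which is why short CRL lifetimes or OCSP matter when access must be cut off promptly.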
The New Golden Standard of Network Security: Certificate-Based Authentication
Passwords are a significant attack vector in the modern era. Ditching them entirely with certificate-based authentication greatly increases the security of your network. As an extra benefit, users also get to enjoy the convenience of passwordless authentication.
Historically, IT specialists have eschewed wide certificate use for fear that PKIs were more trouble than they’re worth. With SecureW2’s full suite of PKI services, however, managing a PKI is absolutely painless. You can set up your managed PKI for your organization in as little as an hour. Click here to read about how one of our customers made the switch to certificates with SecureW2’s cloud-managed PKI.